[vhffs-dev] [2273] Panel is now sending a auth confirmation code for password change requests. |
Revision: 2273
Author: gradator
Date: 2015-02-23 00:44:09 +0100 (Mon, 23 Feb 2015)
Log Message:
-----------
Panel is now sending an auth confirmation code for password change requests. Fixes bug #233.
Modified Paths:
--------------
trunk/vhffs-api/src/Vhffs/Panel/Auth.pm
trunk/vhffs-panel/index.pl
Modified: trunk/vhffs-api/src/Vhffs/Panel/Auth.pm
===================================================================
--- trunk/vhffs-api/src/Vhffs/Panel/Auth.pm 2015-02-12 23:27:31 UTC (rev 2272)
+++ trunk/vhffs-api/src/Vhffs/Panel/Auth.pm 2015-02-22 23:44:09 UTC (rev 2273)
@@ -152,25 +152,20 @@
# username submitted
my $user = Vhffs::User::get_by_username( $vhffs, scalar $cgi->param('username') );
if( defined $user and $user->{'state'} == Vhffs::Constants::ACTIVATED ) {
+ require Digest::MD5;
- # create a new password for this user
- my $password = Vhffs::Functions::generate_random_password();
- $user->set_password( $password );
- $user->commit;
+ # generate a timed-hash so we can verify how old is the confirm code
+ my $t = time();
+ $t -= $t%900; # 15min
+ my $confirmurl = $vhffs->get_config->get_panel->{'url'}.'/?do=lostconfirm;user='.$user->get_username.';auth='.Digest::MD5::md5_hex($user->get_password.$t);
- my $mu = new Vhffs::Services::MailUser( $vhffs, $user );
- if( defined $mu and defined $mu->get_localpart ) {
- $mu->get_localpart->set_password( $password );
- $mu->get_localpart->commit;
- }
-
- # Send a mail with plain text password inside
- my $subject = sprintf('Password changed on %s', $vhffs->get_config->get_host_name );
- my $content = sprintf("Hello %s %s,\n\nYou asked for a new password, here are your new login information:\nUser: %s\nPassword: %s\n\n%s Administrators\n", $user->get_firstname, $user->get_lastname, $user->get_username, $password , $vhffs->get_config->get_host_name );
+ # Send a mail with confirm hash
+ my $subject = sprintf('Confirm password change on %s', $vhffs->get_config->get_host_name );
+ my $content = sprintf("Hello %s %s,\n\nYou probably asked for a new password, please confirm password change using the following URL:\n%s\n\n%s Administrators\n", $user->get_firstname, $user->get_lastname, $confirmurl, $vhffs->get_config->get_host_name );
$user->send_mail_user( $subject, $content );
$panel->render('anonymous/lost-password-ack.tt',
- { message => sprintf( gettext('Please wait %s, a new password will be sent to you in a few minutes...'), $user->get_username ) },
+ { message => sprintf( gettext('%s, a confirmation code was sent to the email address you set, you should receive it very soon...'), $user->get_username ) },
'anonymous.tt' );
}
else {
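Review bot: The confirmation token built on the `$confirmurl` line is an unkeyed MD5 over the stored password value and a 15-minute timestamp, so anyone who obtains the password column (a database dump, a backup) can mint a valid reset link for any account offline without ever seeing the victim's mailbox; assuming `get_password` returns the stored hash, that hash is the only secret in the construction. A keyed MAC under a server-side secret closes this while keeping the "link dies once the password changes" property: `require Digest::SHA;`, `my $secret = $vhffs->get_config->get_panel->{'lostsecret'};` (a config key that would need adding), and `Digest::SHA::hmac_sha256_hex($user->get_username.':'.$user->get_password.':'.$t, $secret)`. Note also that the token travels in the query string, so it will be written to web-server access logs and sent in any Referer header from the confirmation page; a POST form on the landing page would avoid that. The `else` branch of `lost` continues outside the hunk.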
@@ -180,4 +175,54 @@
}
}
+sub lostconfirm {
+ my $panel = shift;
+ my $vhffs = $panel->{'vhffs'};
+ my $cgi = $panel->{'cgi'};
+
+ # username submitted
+ my $user = Vhffs::User::get_by_username( $vhffs, scalar $cgi->param('user') );
+ goto FAIL unless ( defined $user and $user->{'state'} == Vhffs::Constants::ACTIVATED );
+
+ # check auth code
+ my $auth = $cgi->param('auth');
+ goto FAIL unless defined $auth;
+
+ my $t = time();
+ $t -= $t%900; # 15min
+
+ # allow auth code for 1h to 1h15
+ my $i;
+ for ($i = 0; $i < 4; $i++) {
+ last if Digest::MD5::md5_hex($user->get_password.$t) eq $auth;
+ $t -= 900;
+ }
+ goto FAIL if $i == 4;
+
+ # create a new password for this user
+ my $password = Vhffs::Functions::generate_random_password();
+ $user->set_password( $password );
+ $user->commit;
+
+ my $mu = new Vhffs::Services::MailUser( $vhffs, $user );
+ if( defined $mu and defined $mu->get_localpart ) {
+ $mu->get_localpart->set_password( $password );
+ $mu->get_localpart->commit;
+ }
+
+ # Send a mail with plain text password inside
+ my $subject = sprintf('Password changed on %s', $vhffs->get_config->get_host_name );
+ my $content = sprintf("Hello %s %s,\n\nYou asked for a new password, here are your new login information:\nUser: %s\nPassword: %s\n\n%s Administrators\n", $user->get_firstname, $user->get_lastname, $user->get_username, $password , $vhffs->get_config->get_host_name );
+ $user->send_mail_user( $subject, $content );
+
+ $panel->render('anonymous/lost-password-ack.tt',
+ { message => sprintf( gettext('%s, a new password was sent to the email address you set, you should receive it very soon...'), $user->get_username ) },
+ 'anonymous.tt' );
+ return;
+FAIL:
+ $panel->render('anonymous/lost-password-ack.tt',
+ { message => gettext('Password recovery failed!') },
+ 'anonymous.tt' );
+}
+
1;
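Review bot: `lostconfirm` calls `Digest::MD5::md5_hex` on the `last if` line without a preceding `require Digest::MD5;` — `lost` loads it at the top of its own branch, but nothing visible here guarantees the module is loaded when index.pl dispatches straight to `lostconfirm` in a fresh CGI process, so the check would die with an undefined-subroutine error unless some other module happens to pull Digest::MD5 in; add `require Digest::MD5;` before the loop. The comment `# allow auth code for 1h to 1h15` is also off by one window: the loop tries the current 15-minute bucket plus the three before it, so a link is accepted for 45 to 60 minutes after the bucket it was minted in, not 60 to 75; either make it `for ($i = 0; $i < 5; $i++)` or reword the comment to `# accept the current 15-minute window and the three before it (45-60 min)`. Comparing the digest with `eq` may leak timing on the position of the first mismatching character; a constant-time check (XOR the two fixed-length hex strings and test that the result is all NUL bytes) costs two lines. Finally, the `goto FAIL` pairing would read more idiomatically as a small `_lost_fail($panel)` helper invoked via `return _lost_fail($panel) unless ...`.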
Modified: trunk/vhffs-panel/index.pl
===================================================================
--- trunk/vhffs-panel/index.pl 2015-02-12 23:27:31 UTC (rev 2272)
+++ trunk/vhffs-panel/index.pl 2015-02-22 23:44:09 UTC (rev 2273)
@@ -62,13 +62,16 @@
my $do = ( $cgi->url_param('do') or 'login' );
# -- anonymous
- if( $do eq 'login' or $do eq 'lost' or $do eq 'subscribe' or $do eq 'logout' ) {
+ if( $do eq 'login' or $do eq 'lost' or $do eq 'lostconfirm' or $do eq 'subscribe' or $do eq 'logout' ) {
if( $do eq 'login' ) {
require Vhffs::Panel::Auth;
Vhffs::Panel::Auth::login( $panel );
} elsif( $do eq 'lost' ) {
require Vhffs::Panel::Auth;
Vhffs::Panel::Auth::lost( $panel );
+ } elsif( $do eq 'lostconfirm' ) {
+ require Vhffs::Panel::Auth;
+ Vhffs::Panel::Auth::lostconfirm( $panel );
} elsif( $do eq 'subscribe' ) {
require Vhffs::Panel::Subscribe;
Vhffs::Panel::Subscribe::subscribe( $panel );